The present invention relates to the field of memory management, and more particularly to securing updates to a non-volatile memory used to store program code.
Many computer systems include a non-volatile memory to store basic input/output system (BIOS) program code. The BIOS code is usually the lowest layer of software in a computer system and acts as an interface between system hardware and higher-layer software. For example, the BIOS typically includes routines for managing system startup and for controlling various hardware components such as a wait-state generator, hardware timers, interrupt controllers and so forth.
Because BIOS routines interact extensively with system hardware, they are often invoked at a privilege level that allows unrestricted memory and I/O access. This makes the BIOS space (i.e., the memory space allocated to the BIOS) a particularly likely candidate for malicious attack. If unauthorized code (e.g., a computer virus) is substituted for BIOS code, the unauthorized code will likely be able to access a broad range of system devices that privilege-level protections would otherwise prevent. As a result, a successful attack on the BIOS space can result in considerable damage to a computer system, including the loss of sensitive information.
In modern computer systems, flash memory devices (e.g., flash electrically-erasable, programmable read-only memory (flash EEPROM)) are often used to store BIOS code. By sending the appropriate commands, flash devices can be erased and reprogrammed. While this makes it easier to install updated BIOS software, it also opens the door to malicious attack on the BIOS space. For example, some BIOS developers post updated BIOS code on sites of the World Wide Web ("the web") from which they can be downloaded and installed. One seeking to introduce unauthorized code into the BIOS space (i.e., an "attacker") could modify the posted BIOS code or even intercept and modify the code during download. Alternatively an attacker might masquerade as a legitimate BIOS developer to induce a computer user to download and install unauthenticated code. For example, the attacker could post unauthenticated code on a website and represent the code as being provided by a legitimate developer.
FIG. 1 is a data flow diagram that illustrates one prior-art technique for preventing unauthorized access to the BIOS space. Initially, program code 10 is obtained in a computer system that includes a processor 22, a system memory 11, an updatable, non-volatile memory device 12, a bus 20 and an interrupt generator 28. When a data transfer program 19 is executed, write circuitry 26 within the processor 22 transfers the program code 10 across bus 20 along with commands to the flash device 12 to write the program code into a predetermined space within storage array 18. The interrupt generator 28 snoops the signals transferred across the bus 20 and can therefore detect when a write access to the flash device 12 is being attempted. In response to detecting a write access attempt, the interrupt generator 28 asserts an interrupt 29 to interrupt the processor 22. In response to the interrupt, the processor 22 invokes an interrupt service routine 27 (typically stored in system memory 11) to validate the source of the data write, for example, by determining whether a predetermined value is present in the program code 10 (e.g., header or trailer information).
If the interrupt service routine (ISR) 27 determines that the attempted write access to the flash device 12 is valid, the ISR 27 is exited and transfer of the program code 10 is resumed. To prevent repeated interrupt generation after the initial validation operation, the interrupt generator 28 may be disabled until after the transfer is complete.
One disadvantage of the above-described technique is that it is relatively easy to circumvent. For example, the vector to the ISR 27 can be changed so that when the interrupt from the interrupt generator 28 is received, a substitute ISR is invoked. This substitute ISR may then disable the interrupt generator without validating the program code 10 that is attempting to write to the flash device 12. Unauthorized program code may then be written to the flash memory device 12. Alternatively, an attacker may access the code of ISR 27 to learn the authenticating value (or set of values) that is expected in the program code 10 and where the authenticating value is stored. The attacker can then store the authenticating value in unauthorized program code so that the ISR 27 erroneously validates the unauthorized program code. Again, the unauthorized program code may be written to the flash memory device 12.
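The two weaknesses just described can be seen in a small model of FIG. 1. This is an added example, not code from the patent: the function names, the 4-byte header layout and the value of AUTH_MAGIC are constructed for illustration. It shows that the ISR's decision depends only on a value that is independent of the payload, and that the decision itself is reached through a vector held in writable memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of FIG. 1; every name and the magic value are hypothetical. */
#define FLASH_SIZE 64
#define AUTH_MAGIC 0x5AA5C33Cu            /* "predetermined value" expected in the header */

typedef int (*isr_fn)(const uint8_t *img, size_t len);
static uint8_t flash[FLASH_SIZE];         /* storage array 18 */
static isr_fn isr_vector;                 /* interrupt vector, held in writable system memory */

/* ISR 27: accept the write only if the image header carries the magic value. */
int validating_isr(const uint8_t *img, size_t len) {
    uint32_t hdr;
    if (len < sizeof hdr) return 0;
    memcpy(&hdr, img, sizeof hdr);
    return hdr == AUTH_MAGIC;             /* nothing here depends on the payload bytes */
}

/* Substitute ISR: returns "valid" without inspecting the image. */
int substitute_isr(const uint8_t *img, size_t len) { (void)img; (void)len; return 1; }

/* Interrupt generator 28 detects the write; the processor dispatches via the vector. */
int flash_write(const uint8_t *img, size_t len) {
    if (len > FLASH_SIZE || !isr_vector(img, len)) return 0;
    memcpy(flash, img, len);
    return 1;
}

/* Build an image: 4-byte header followed by 12 payload bytes set to `tag`. */
size_t make_image(uint8_t *out, uint32_t hdr, uint8_t tag) {
    memcpy(out, &hdr, sizeof hdr);
    memset(out + sizeof hdr, tag, 12);
    return sizeof hdr + 12;
}

/* Bits: 0 genuine accepted, 1 unmarked rejected, 2 copied value accepted,
   3 unmarked accepted once the vector points at the substitute ISR. */
int run_model(void) {
    uint8_t img[FLASH_SIZE]; int r = 0; size_t n;
    isr_vector = validating_isr;
    n = make_image(img, AUTH_MAGIC, 0xB1); r |= flash_write(img, n) << 0;
    n = make_image(img, 0, 0xEE);          r |= (!flash_write(img, n)) << 1;
    n = make_image(img, AUTH_MAGIC, 0xEE); r |= flash_write(img, n) << 2;
    isr_vector = substitute_isr;
    n = make_image(img, 0, 0xEE);          r |= flash_write(img, n) << 3;
    return r;
}
int main(void) { printf("outcome mask: 0x%X\n", run_model()); return 0; }
```

All four bits are set in the result: the check rejects only images that neither carry the value nor arrive after the vector has been changed, which is why a validator living in modifiable system memory cannot serve as the trust anchor for flash writes.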
An apparatus and method for preventing unauthorized updates to a non-volatile memory are disclosed. A sequence of encoded values is received in a non-volatile memory device. The sequence of encoded values is decoded in a decoding circuit in the non-volatile memory device to generate a sequence of decoded values and the sequence of decoded values is stored in the non-volatile memory device.
Other features and advantages of the invention will be apparent from the accompanying drawings and from the detailed description that follows below.